The first timeline of 2020 is finally here! In the first half of January I have collected 68 events, a number that shows how the new year has started with an apparent decrease.

In this fortnight malicious actors have continued to target vulnerable VPN systems from Pulse Secure (CVE-2019-11510) and the unpatched vulnerability on Citrix systems (CVE-2019-19781) to distribute malware, predominantly ransomware. Ransomware effectively characterized the end of 2019 and, judging by this first timeline, the beginning of 2020 doesn’t look much different.

Another important event that has characterized this timeline is the cyber activity of Iran: the tension between the USA and Iran, following the murder of Qasem Soleimani, has contributed to worsening a scenario that was already quite complicated (Iranian attackers immediately defaced some US entities). On December 29, 2019, Iranian attackers are suspected to have hit Bapco, Bahrain’s national oil company, with a new data-wiping malware dubbed Dustman; additionally, researchers have revealed that multiple state-sponsored groups affiliated with Iran probed American electric utilities during 2019.

The cyber espionage front has seen multiple operations: the Austrian foreign ministry has been targeted by a cyber-attack allegedly carried out by a foreign country, APT28 has launched a malicious campaign against Burisma, the Ukrainian gas company with whom Hunter Biden worked, and researchers have also discovered a new operation by the SideWinder APT Group targeting military entities via malicious Android apps.

As always, browse the timeline for all the details, and feel free to share it with your peers to support my work and spread risk awareness across the community. Last but not least, don’t forget to follow @paulsparrows on Twitter, or even connect on LinkedIn, for the latest updates.

| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country | Link | Tags |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 02/01/2020 | Chuckling Squad | Adam Sandler's Twitter account | Adam Sandler's Twitter account is hacked and used to post offensive messages against Mariah Carey, President Obama, and President Trump. | | | | | | |
| | | | | For the same reason, a group of Iranian hackers dubbed "Shield Iran" defaces the Sierra Leone Commercial Bank. | Defacement | K Financial and insurance activities | CW | SL | | Shield Iran, Sierra Leone Commercial Bank, slcb.com |
| 9 | 04/01/2020 | ? | Multiple targets | Researchers from Fortinet report that a ransomware strain known as DeathRansom, once considered a joke, is now capable of encrypting files using a solid encryption scheme. | Malware | Y Multiple Industries | CC | >1 | | Fortinet, ransomware, DeathRansom |
| 10 | 04/01/2020 | ? | Saskatchewan’s eHealth | Hackers make it through the first level of security for Saskatchewan’s eHealth records system, locking the government out of some systems and asking for a ransom. | Unknown | Q Human health and social work activities | CC | US | | Saskatchewan’s eHealth |
| 11 | 06/01/2020 | Iranian Hacker | Texas Department of Agriculture | The Texas Department of Agriculture is hit with a cyberattack that defaces its website with an image of Gen. Qassem Soleimani, the top Iranian commander who was killed in a U.S. strike the previous week. | Defacement | O Public administration and defence, compulsory social security | CW | US | | Texas Department of Agriculture, Qassem Soleimani, Iranian Hacker |
| 12 | 06/01/2020 | SideWinder APT Group | Military entities | Researchers from Trend Micro discover the first example of a malicious app in the Google Play Market exploiting the recently patched CVE-2019-2215 zero-day vulnerability. | Targeted attack | O Public administration and defence, compulsory social security | CE | >1 | | Trend Micro, Google Play Market, CVE-2019-2215 |
| 13 | 06/01/2020 | ? | Canyon | Canyon announces it was struck by a "massive cyber attack" over the Christmas break by a "professionally organized group". | Unknown | C Manufacturing | CC | DE | | Canyon |
| 14 | 06/01/2020 | ? | Focus Camera | Researchers from Juniper Threat Labs reveal that the website of popular photography and imaging retailer Focus Camera was hacked late in December 2019 by Magecart attackers to inject malicious code that stole customer payment card details. | Malicious Script Injection | G Wholesale and retail trade | CC | US | | Focus Camera, Magecart, Juniper Threat Labs |
| 15 | 06/01/2020 | ? | Single Individuals | Researchers from Fortinet discover a new campaign of the "Predator the Thief" malware. | | | | | | |
| | | | | A new phishing campaign tries to take advantage of the Iran cyber attack scare. | Account Hijacking | X Individual | CC | >1 | | Iran |
| 23 | 07/01/2020 | Master X | Multiple targets | Researchers from AppRiver reveal that a hacker with the handle “Master X” is leveraging a PowerShell script that contains a reference to the Drake lyric “Kiki Do You Love Me” to deliver either the Lokibot info stealer or the Azorult remote access trojan. | Malware | Y Multiple Industries | CC | >1 | | AppRiver, Master X, Drake, Lokibot, Azorult |
| 24 | 07/01/2020 | ? | Enloe Medical Center | Enloe Medical Center is hit by a ransomware attack that causes the hospital to reschedule some elective procedures. | Malware | Q Human health and social work activities | CC | US | | Enloe Medical Center, ransomware |
| 25 | 07/01/2020 | ? | City of Bend | The City of Bend is the latest victim of the Click2Gov breach. | Malicious Script Injection | O Public administration and defence, compulsory social security | CC | US | | City of Bend |
| 26 | 08/01/2020 | ? | US financial entity | The FBI says that unidentified threat actors have used the CVE-2019-11510 Pulse Secure VPN flaw "to exploit a notable US financial entity’s research network since August 2019". | CVE-2019-11510 vulnerability | K Financial and insurance activities | CC | US | | FBI, CVE-2019-11510, Pulse Secure VPN |
| 27 | 08/01/2020 | ? | US municipal government | The FBI says that a US municipal government was also breached via the CVE-2019-11510 Pulse Secure VPN flaw. | CVE-2019-11510 vulnerability | O Public administration and defence, compulsory social security | CC | US | | FBI, CVE-2019-11510, Pulse Secure VPN |
| 28 | 08/01/2020 | ? | Well-known personalities in Korea | A recent report from South Korean media claims that the Samsung Galaxy smartphones of many well-known personalities in Korea were hacked. According to the report, the hacker extorts cash from the victims; if a victim fails to pay the ransom, the hacker threatens to disclose all of their data. | | | | | | |
| | | | | Researchers from Kaspersky reveal the details of a new wave of attacks linked to Operation AppleJeus, targeting cryptocurrency businesses in multiple countries including the UK, Poland, Russia and China. | Targeted attack | V Fintech | CC | >1 | | Kaspersky, Operation AppleJeus, Lazarus Group |
| 32 | 08/01/2020 | ? | Firefox users | Mozilla warns Firefox users to update their browser to the latest version after security researchers found a vulnerability that hackers were actively exploiting in “targeted attacks” against users. The vulnerability is indexed as CVE-2019-17026. | Targeted attack | X Individual | CC | >1 | | Mozilla, Firefox |
| 33 | 09/01/2020 | Iranian state-sponsored hackers | Bapco | Multiple sources reveal that Iranian state-sponsored hackers have deployed Dustman, a new strain of data-wiping malware, on the network of Bapco, Bahrain's national oil company. The attack occurred on December 29, 2019. | Malware | D Electricity gas steam and air conditioning supply | CW | BH | | Dustman, Bapco, Iran |
| 34 | 09/01/2020 | ? | Albany International Airport | Albany International Airport's staff announces that the New York airport's administrative servers were hit by Sodinokibi ransomware following a cyberattack that took place over Christmas. | Malware | H Transportation and storage | CC | US | | Albany International Airport, Ransomware, Sodinokibi |
| 35 | 09/01/2020 | Magnallium AKA APT33, Refined Kitten, or Elfin | American Electric Utilities | Researchers from Dragos reveal that a state-sponsored group affiliated with Iran called Magnallium has been probing American electric utilities for the past year. | Password Spraying | D Electricity gas steam and air conditioning supply | CW | US | | Dragos, Iran, Magnallium, APT33, Refined Kitten, Elfin |
| 36 | 09/01/2020 | Xenotyme, Dymalloy, Electrum | American Electric Utilities | The same report details the activities of three additional groups targeting American electric utilities. | Targeted attack | D Electricity gas steam and air conditioning supply | CW | US | | Xenotyme, Dymalloy, Electrum, Dragos (Split) |
| 37 | 09/01/2020 | ? | Android users | Google reveals that it has removed roughly 1,700 applications infected with the Joker Android malware (also known as Bread) since the company started tracking it in early 2017. | Malware | X Individual | CC | >1 | | Android, Bread, Joker, Google |
| 38 | 09/01/2020 | ? | Multiple targets | A new ransomware dubbed Ako emerges in the threat landscape. | Malware | Y Multiple Industries | CC | >1 | | Ako, Ransomware |
| 39 | 09/01/2020 | ? | Multiple targets | Researchers at SentinelOne reveal that the Russian-speaking cybercriminals behind the TrickBot malware have developed a stealthy backdoor dubbed “PowerTrick” in order to infiltrate high-value targets. | Malware | Y Multiple Industries | CC | >1 | | SentinelOne, TrickBot, PowerTrick |
| 40 | 09/01/2020 | ? | City of Dunwoody | The City of Dunwoody reveals that it was hit by a cyber attack on Christmas Eve. | Malware | O Public administration and defence, compulsory social security | CC | US | | City of Dunwoody |
| 41 | 09/01/2020 | ? | btyDental | btyDental notifies patients after suffering a ransomware attack discovered in November 2019. | Malware | Q Human health and social work activities | CC | US | | btyDental, ransomware |
| 42 | 09/01/2020 | ? | Bartlett Public Library District | The Bartlett Public Library District’s computer systems recover from a ransomware attack that occurred on Saturday, November 30. | Malware | O Public administration and defence, compulsory social security | CC | US | | Bartlett Public Library District, ransomware |
| 43 | 09/01/2020 | ? | City of Dawson Creek | The City of Dawson Creek says its computer systems were hacked in an apparent ransomware attack. | Malware | O Public administration and defence, compulsory social security | CC | CA | | Dawson Creek, Ransomware |
| 44 | 10/01/2020 | ? | Manor Independent School District | Manor Independent School District announces that email scammers fleeced the District out of $2.3 million. | Business Email Compromise | P Education | CC | US | | Manor Independent School District |
| 45 | 10/01/2020 | ? | European websites for Perricone MD | Researchers from RapidSpike reveal that multiple European websites for the Perricone MD anti-aging skin-care brand have been compromised with scripts that steal customer payment card info when a purchase is made. | Malicious Script Injection | G Wholesale and retail trade | CC | >1 | | Perricone MD, RapidSpike, Magecart |
| 46 | 10/01/2020 | ? | Multiple targets in the US | The US Cybersecurity and Infrastructure Security Agency (CISA) alerts organizations to patch their Pulse Secure VPN servers as a defense against ongoing attacks trying to exploit the CVE-2019-11510 remote code execution (RCE) vulnerability. | | | | | | |
| | | | Website collecting donations for the victims of the Australia bushfires | Researchers from Malwarebytes discover that attackers compromised a website collecting donations for the victims of the Australia bushfires and injected ATMZOW, a malicious script that steals the payment information of the donors. | Malicious Script Injection | Q Human health and social work activities | CC | AU | | Magecart, Malwarebytes, ATMZOW |
| 48 | 10/01/2020 | ? | Single Individuals | A malicious ad campaign is underway in Google Search results that leads users to fake Amazon support sites and tech support scams. | Search Engine Poisoning | X Individual | CC | >1 | | Google Search, Amazon |
| 49 | 10/01/2020 | ? | High-profile Facebook pages | Facebook addresses a security issue that exposed page admin accounts, after the bug was exploited in attacks in the wild against several high-profile pages. | Facebook Vulnerability | X Individual | CC | >1 | | Facebook |
| 50 | 10/01/2020 | ? | Android users | Researchers from Malwarebytes discover that the UMX U686CL, an Android phone subsidized by the US government for low-income users, comes preinstalled with malware (Android/Trojan.HiddenAds.WRACT). | Malware | X Individual | CC | US | | Malwarebytes, UMX U686CL, Android, Android/Trojan.HiddenAds.WRACT |
| 51 | 10/01/2020 | ? | Boing Boing | The popular Boing Boing blog is hacked by an unknown party who plants malicious code into the site’s WordPress theme. Users visiting the site from desktop computers are redirected to a fake download page for an Adobe Flash update. | Account Hijacking | J Information and communication | CC | US | | Boing Boing, Adobe Flash |
| 52 | 10/01/2020 | ? | The Center for Facial Restoration | The Center for Facial Restoration reveals that it was the victim of a hack in November 2019, with the attackers threatening to release the patients' data. | Unknown | Q Human health and social work activities | CC | US | | The Center for Facial Restoration |
| 53 | 10/01/2020 | ? | Los Angeles County | Los Angeles County confirms it was the target of a phishing attack last month, which staff detected and contained before it exposed any county resident data. | Account Hijacking | P Education | CC | US | | Los Angeles County |
| 54 | 11/01/2020 | ? | Android users | Researchers from Kaspersky reveal that an Android malware dubbed Trojan-Dropper.AndroidOS.Shopper.a, camouflaged as a system app, is used by threat actors to disable the Google Play Protect service, generate fake reviews, install malicious apps, show ads, and more. | | | | | | |
| | | | | Researchers from Cofense reveal that after an almost three-week holiday vacation, the Emotet trojan is back and targeting over eighty countries with malicious spam campaigns. | Malicious Spam | X Individual | CC | >1 | | Cofense, Emotet |
| 56 | 13/01/2020 | ? | UNIX Systems | The security team at npm takes down a malicious package, discovered by the Microsoft Vulnerability Research team and named 1337qq-js, caught stealing sensitive information from UNIX systems. | Malicious npm package | Y Multiple Industries | CC | >1 | | npm, Microsoft Vulnerability Research team, 1337qq-js, UNIX |
| 57 | 13/01/2020 | ? | Android users | An Android banking Trojan dubbed Faketoken has recently been observed by security researchers from Kaspersky draining its victims' accounts to fuel offensive mass text campaigns targeting mobile devices all over the world. | Malware | K Financial and insurance activities | CC | >1 | | Android, Faketoken, Kaspersky |
| 58 | 13/01/2020 | ? | Accounts receivable specialists | Researchers from Agari discover a new group called Ancient Tortoise targeting accounts receivable specialists, tricking them into sending over aging reports and thus collecting info on customers they can scam in later attack stages. | Business Email Compromise | K Financial and insurance activities | CC | >1 | | Agari, Ancient Tortoise |
| 59 | 13/01/2020 | ? | Company in the medical tech sector | Researchers from Guardicore reveal the details of an attack targeting a company in the medical tech sector via a malware hiding its modules in WAV audio files and spreading to vulnerable Windows 7 machines on the network via EternalBlue. | Malware | C Manufacturing | CC | N/A | | Guardicore, WAV, EternalBlue, Crypto |
| 60 | 14/01/2020 | Fancy Bear AKA APT28 | Burisma | Researchers from Area 1 reveal that Russian spies from the GRU are suspected of trying to hack into Burisma, the Ukrainian gas company with whom Hunter Biden worked. | Targeted attack | D Electricity gas steam and air conditioning supply | CE | UA | | Area 1, Burisma, GRU, Hunter Biden, Russia, APT28, Fancy Bear |
| 61 | 14/01/2020 | Omnichorus | LimeLeads | 49 million user records extracted from a misconfigured Elasticsearch database belonging to US data broker LimeLeads are put up for sale online. | Misconfiguration | M Professional scientific and technical activities | CC | US | | Elasticsearch, LimeLeads, Omnichorus |
| 62 | 14/01/2020 | ? | Single Individuals | The cybercrime group behind Satan ransomware and other malware seems to be involved in the development of a new ransomware named 5ss5c. | | | | | | |
| | | | | The New Mexico Public Regulation Commission is "hacked by an outside source". | Unknown | O Public administration and defence, compulsory social security | CC | US | | New Mexico Public Regulation Commission |
| 65 | 15/01/2020 | ? | United Nations | The United Nations is hit by a cyberattack through the Emotet malware. | Malware | U Activities of extraterritorial organizations and bodies | CC | N/A | | United Nations, Emotet |
| 66 | 15/01/2020 | ? | P&N Bank | P&N Bank in Western Australia informs its customers that hackers may have accessed personal information stored on its systems following a cyber attack on December 12, during an upgrade at a third-party hosting company. | Unknown | K Financial and insurance activities | CC | AU | | P&N Bank |
| 67 | 15/01/2020 | ? | PlanetDrugsDirect | Canadian online pharmacy PlanetDrugsDirect emails customers, notifying them of a data security incident that might have impacted some of their sensitive personal and financial information. 400,000 individuals are potentially affected. | | | | | | |